[KYUUBI #6927] add spnego ui with session manager. add spnego end-to-end ui rest#17
#17: paradoxfm wants to merge 4 commits into 1.10.1-develop from
| server.addHandler(authenticationFactory.httpHandlerWrapperFactory.wrapHandler(proxyHandler)) | ||
| if (conf.get(FRONTEND_REST_UI_ENABLED)) { | ||
| installWebUI() | ||
| // JettyUtils.createStaticHandlerSpnego("", "", "", "", "") |
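Review bot: the commented-out `// JettyUtils.createStaticHandlerSpnego("", "", "", "", "")` after `installWebUI()` is dead code; either wire the static handler in or drop the line before merge, since placeholder calls with empty-string arguments tend to get resurrected later with the placeholders intact.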
| val principal = authenticate(httpReq, httpResp) // auth SPNEGO | ||
| if (principal != null) { | ||
| // Создаем новую сессию |
All comments must be in English.
| val authorization = getAuthorization(request) | ||
| val clientToken = Base64.getDecoder.decode(authorization) | ||
| try { | ||
| debug("step by step spnego ui") |
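Review bot: `Base64.getDecoder.decode(authorization)` runs before the `try` block, so a malformed or non-base64 `Authorization` value from the client throws an `IllegalArgumentException` out of the filter instead of producing a clean 401; move the decode inside the `try` (and handle a null result from `getAuthorization(request)`) so bad input is answered with `SC_UNAUTHORIZED` rather than a server error.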
| try { | ||
| debug("step by step spnego ui") | ||
| val serverPrincipal = getTokenServerName(clientToken) | ||
| debug("step 2 getTokenServerName") |
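Review bot: the numbered trace calls (`debug("step by step spnego ui")`, `debug("step 2 getTokenServerName")` and the later step 3 / step 4 lines) read as leftover development tracing; replace them with one or two debug messages that state what was decided (for example the server principal that was extracted) or remove them, so the log is not filled with step markers at debug level.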
| s"Invalid server principal $serverPrincipal decoded from client request") | ||
| } | ||
| debug("step 3 startsWith") |
| } | ||
| }) | ||
| debug("step 4 doAs") |
| } | ||
| if (!gssContext.isEstablished) { | ||
| response.setStatus(HttpServletResponse.SC_UNAUTHORIZED) | ||
| debug("SPNEGO in progress") |
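Review bot: in the `!gssContext.isEstablished` branch only `SC_UNAUTHORIZED` is set; unless it happens elsewhere, a multi-round SPNEGO exchange also needs `WWW-Authenticate: Negotiate <base64 continuation token>` produced by the accept step on this response, otherwise the client has nothing to continue with and the `"SPNEGO in progress"` state never completes. As the other hunk already notes, that header has to be written before any `sendError` call.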
| private var serverSubject = new Subject() | ||
| private var keytab: String = _ | ||
| private var principal: String = _ | ||
| private val sessionTimeout = conf.get(KyuubiConf.SESSION_IDLE_TIMEOUT).toInt |
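Review bot: `conf.get(KyuubiConf.SESSION_IDLE_TIMEOUT).toInt` drops the unit and, since `Long.toInt` keeps only the low 32 bits, silently wraps for large values; keep the value as a `Long` in the unit the config defines and convert once, explicitly, where the session manager needs it. `serverSubject`, `keytab` and `principal` can be `val`s if they are only assigned during initialization.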
SESSION_IDLE_TIMEOUT is measured in seconds, but all numbers in the config are stored as long; it's a pre-conversion for usage.
With the current code and default config, the session will live 21 600 000 seconds instead of 6 hours.
It's not a constant and is also configurable.
fallbackConf(SESSION_TIMEOUT)
createWithDefault(Duration.ofHours(6).toMillis)
You can change it in kyuubi.defaults -> kyuubi.session.idle.timeout
| httpResp.setHeader(WWW_AUTHENTICATE_HEADER, "Negotiate") // it must before sendError | ||
| httpResp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "No SPNEGO token") | ||
| case authHeader if authHeader.startsWith("Negotiate ") => |
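Review bot: `authHeader.startsWith("Negotiate ")` is case-sensitive, but HTTP authentication scheme names are case-insensitive (RFC 7235), so a client sending `negotiate ...` would fall through to the other cases; compare the scheme case-insensitively (e.g. `authHeader.regionMatches(true, 0, "Negotiate ", 0, 10)`) while keeping the trailing space that distinguishes it from other `Negotiate-*` schemes.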
In this case it must be with a space, because variants like "Negotiate-something" etc. exist.
| httpResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED) | ||
| if (conf.get(FRONTEND_REST_UI_SPNEGO_ENABLED)) { | ||
| // For using rest from ui required end-to-end auth | ||
| httpResponse.setHeader(WWW_AUTHENTICATE_HEADER, "Negotiate") |
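Review bot: the `WWW-Authenticate: Negotiate` header is added whenever `FRONTEND_REST_UI_SPNEGO_ENABLED` is set and no handler matched, so every unauthenticated `/v1/*` request, not only UI-originated ones, now advertises Negotiate; clients that honour the header will change their scheme preference, so either scope this to UI-originated requests or document the changed auth-scheme advertisement for API clients in the same change.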
What about requests that are not from the UI - /v1/*?
This header indicates to the client which protocol to work with. It does not change the normal work mode.
Many HTTP clients auto-react to this header. It changes the auth scheme priority.
The header will be added if matchedHandler == null. It means that other schemes were not found.
matchedHandler == null means that the client has not yet attempted to authenticate.
What will happen with LDAP + UI Spnego case?
SPNEGO works only with Kerberos. It's an end-to-end scheme: ui -> rest -> ...
Please add tests to AuthenticationFilterSuite.

Why create a new SpnegoSessionFilter instead of working with the KerberosAuthenticationHandler? The SPNEGO logic in both classes is identical.

Because I need to manage sessions and headers, and the handler works read-only and does not work with a principal starting with HTTP/

readonly?

I'll try
Add spnego ui with session manager. Add spnego end-to-end ui rest
Fix bug apache#6927
Add conf parameter kyuubi.frontend.rest.ui.spnego.enabled
This functionality also uses the spnego rest config